asp.net - Unable to pass '<' in URL as parameter

Question

Why am I unable to pass '<' character as a parameter in the URL? If I do:

http://localhost:9566/?myVar=2 that is ok

But I cannot do:

http://localhost:9566/?myVar=<foo> Why does this give me an error?

When I URL-encode <foo> I get %3Cfoo%3E.

And when I do http://localhost:9566/?myVar=%3Cfoo%3E, I still get the same error:

Answer 1

这是设计使然。您尝试传递的字符可能会被用于跨站点脚本 (XSS) 攻击。

以下是一些链接，可帮助您开始了解 XSS 是什么：

• https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
• http://www.cgisecurity.com/xss-faq.html

虽然您可以禁用这种类型的验证，但我不推荐它。您真的需要在查询字符串参数中传递标签吗？